Password strategies: Who goes there?

by David Harley, ESET senior research fellow, May 23, 2011

If there's one thing that's become obvious in recent months, it's that the best password in the world is of little use if the site or service or organization that you access with it isn't taking proper care of it. And you can certainly argue (as I've done for many years) that static passwords are an unsatisfactory form of authentication at the best of times. However, that's no reason not to make your passwords as secure as possible, where you have to use them, and it so happens (this may not be totally coincidental) that a few things have hit my radar recently that you may find useful in learning or teaching good password practice.

The SANS Institute has, for some years, put out a newsletter called OUCH! which it describes as a “free security awareness newsletter designed for the common computer user.” The May issue, edited by Eric Cole, is devoted to “Protecting Your Passwords,” and includes some excellent advice.

A couple of comments made recently in response to these bear repeating:

If you use a password manager program, you certainly need to be sure that you have some kind of backup of your password file and/or your protected data, in case of a failure of the primary program or of the system on which it's held; a backup you have never tried to restore from is of limited comfort. (Hat tip to Dave Montgomery.)

Passphrases rule. Passwords drool. (Hat tip to Dave Marcus.)

Paul's article looks at the generation of random strings, and at the intelligent use of passphrases rather than passwords as a further way of increasing entropy. Entropy is not exactly synonymous with randomness: it measures how unpredictable the choice is to an attacker, and that unpredictability is what makes a passphrase strong. A long, random phrase that draws on a wide range of symbols is, by definition, harder to guess by orders of magnitude than a single six-letter word or a four-digit PIN. However, entropy is not the only factor. Choosing a password is a compromise between the highest possible entropy and the limiting factors a system imposes, chiefly the permitted length and the range of symbols available, for instance:

Numbers only

English alphabetical characters only

Alphanumeric symbols

Alphanumeric symbols with special characters (spaces, punctuation and so on)

Extended ASCII character set
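As an added illustration (this is not code from the original article or from Paul's), the Python below puts numbers on the trade-off just described: a string of a given length drawn uniformly from each of the symbol ranges above has length × log2(alphabet size) bits of entropy, and a passphrase can be scored the same way by treating each word as one symbol drawn from a word list. The alphabet sizes are my assumptions, since the article names the ranges but not their sizes (26 or 52 letters, 62 alphanumerics, 95 printable ASCII characters, 256 for extended ASCII, and a 7,776-word Diceware-style list for the passphrase case). The figures are upper bounds: they hold only if the choice really is uniform, which a human-chosen word or PIN is not.

```python
import math

# Alphabet sizes for the symbol ranges listed above. These are assumed
# values for illustration; the article lists the ranges, not their sizes.
ALPHABETS = {
    "numbers only": 10,
    "english letters only (one case)": 26,
    "english letters only (mixed case)": 52,
    "alphanumeric": 62,
    "alphanumeric + special characters": 95,   # printable ASCII, incl. space
    "extended ascii": 256,                      # upper bound; few systems accept all of it
}

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a string of `length` symbols, each drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols:
    log2(alphabet_size ** length) == length * log2(alphabet_size).
    An upper bound: a human-chosen string is not uniform."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)

def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Same formula with a whole word as the symbol and the word list as the
    alphabet. 7776 (a Diceware list) is assumed below for illustration."""
    return entropy_bits(words, wordlist_size)

def length_for_target(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniform-random string over this alphabet
    reaches `target_bits`; shows how length trades off against symbol range."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def comparison_table() -> dict:
    """The article's two examples next to an 8-character password and two
    passphrases, so the orders of magnitude can be read off directly."""
    return {
        "4-digit PIN": entropy_bits(4, ALPHABETS["numbers only"]),
        "6 lowercase letters": entropy_bits(6, ALPHABETS["english letters only (one case)"]),
        "8 chars, alphanumeric": entropy_bits(8, ALPHABETS["alphanumeric"]),
        "8 chars, printable ASCII": entropy_bits(8, ALPHABETS["alphanumeric + special characters"]),
        "4-word passphrase (7776-word list)": passphrase_bits(4, 7776),
        "6-word passphrase (7776-word list)": passphrase_bits(6, 7776),
    }

if __name__ == "__main__":
    for label, bits in comparison_table().items():
        print(f"{label:38s} {bits:6.1f} bits")
    # How many digits would a numbers-only password need to match
    # eight printable-ASCII characters?
    print("digits needed to match 8 printable-ASCII chars:",
          length_for_target(entropy_bits(8, 95), 10))
```

Two things are worth noticing in the output: four words from a 7,776-word list (about 52 bits) already match eight characters drawn from the full printable range, and a numbers-only policy needs sixteen digits to reach the same figure, which is why a system that restricts the symbol range has to compensate with length.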

Which reminds me that Nora Lucke, with whom I worked many years ago in the IT unit at a medical research organization, suggested to me a while ago a strategy that worked quite well for her customers in an academic context where choosing a password was severely constrained by system requirements. She described it as follows (I've paraphrased and expanded here and there):

It depends on using an address - any address OTHER than one's own current address. It goes like this:

Write down the address, in mixed case, with no spaces

Cross out all the vowels

Count the first 8 characters [Assuming a system that requires the use of an eight-character password].

For example, 147 Long Hill comes out as 147LngHl.

This gives a pseudo-random password which is simple to use and remember, and an aide-memoire such as “Bob's last-but-one address” or “Flo's old house” is of no use to anyone who doesn't know a great deal about you, especially if you don't leave it somewhere tagged with a giveaway phrase like “my password for BoA.” You can boost the entropy by using some of the interleaving, interposing and/or substitution tricks described in “Keeping Secrets,” of course, though if you're going to use this to generate different passwords for different contexts (recommended!), you need to apply a consistent algorithm so that you can reproduce each one. And, of course, addresses are a convenient “seed” because they normally include numbers, but there are obviously other possible seeds besides an address-book cipher.
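The address scheme set out above, as an added example in Python (my code, not Nora Lucke's or the article's): write the address in mixed case with the spaces removed, cross out the vowels, and keep the first eight characters. The eight-character default, the decision to strip all whitespace rather than only spaces, and the error raised when an address leaves fewer than eight characters are my assumptions; the article does not say what to do in that last case. One caveat a practitioner would add: the result looks like eight characters from a mixed alphanumeric range, but an attacker who knows both the scheme and your history only has to try addresses, so the real search space is much smaller than the apparent one.

```python
import re

# Vowels are crossed out; 'y' is kept, as in the article's example.
VOWELS = set("aeiouAEIOU")

def address_password(address: str, length: int = 8) -> str:
    """Derive a password from an address as described above.

    Steps: keep the address in mixed case as written, remove the spaces,
    strip the vowels, take the first `length` characters. `length` defaults
    to 8 because the article assumes an eight-character system (assumption).
    """
    # Step 1: mixed case as written, no spaces. Removing all whitespace
    # (tabs, newlines) rather than only spaces is an assumption.
    compact = re.sub(r"\s+", "", address)
    # Step 2: cross out the vowels. Digits and punctuation are untouched.
    stripped = "".join(ch for ch in compact if ch not in VOWELS)
    # Step 3: the first `length` characters. What to do when fewer remain is
    # not covered by the article; raising is an assumption.
    if len(stripped) < length:
        raise ValueError(
            f"only {len(stripped)} characters left after removing vowels; "
            f"need {length}")
    return stripped[:length]

def meets_basic_policy(password: str) -> bool:
    """Check the result has a digit plus upper- and lower-case letters, the
    minimum many eight-character systems insist on. Addresses usually pass
    because, as the article notes, they normally include numbers."""
    return (any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))

if __name__ == "__main__":
    # Constructed sample addresses, not anyone's real address.
    for addr in ("147 Long Hill", "1 High Street, Cambridge", "5 Oak Ave"):
        try:
            pw = address_password(addr)
            print(f"{addr!r:30s} -> {pw}  policy ok: {meets_basic_policy(pw)}")
        except ValueError as err:
            print(f"{addr!r:30s} -> unusable ({err})")
```

The article's own example, “147 Long Hill”, comes out as 147LngHl; a short address such as “5 Oak Ave” leaves only three characters after the vowels go, which is exactly the kind of input the scheme needs a rule for before anyone relies on it.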

My apologies: that last clause is almost too esoteric a play on words even for me... It does lead me to think that such algorithms could be a good starting point for describing more complex encryption techniques. However, this is as close to crypto-geek as I plan to get in this particular article.
